WordPress web sites and the standard FixturesLive web plugin - code changes

(This article is only relevant to WordPress sites which aren't built/hosted by FixturesLive - such sites and their plugins are unaffected)

Since late July 2015, some WordPress sites which use our standard plugin have been affected, with the content failing to load correctly. This was caused by a wider security fix by WordPress, and our perfectly safe plugin was caught up in this. The upgrade was unannounced, so we were unable to notify anyone in advance.

Please note that you will not be able to make changes unless you are an Administrator of your site.

If your site has not been upgraded to WordPress 4.2.3

You need to go into each page, and edit the code in the Text view. Your code looks like this:


If your site has been upgraded to WordPress 4.2.3

WordPress has added extra code, which includes code like "[CDATA"

You need to edit the code to remove this, so that your code looks like the example above.

If you aren't clear how to do this, you need to return to the relevant page on FixturesLive, and hover over the "Embed" link in the bottom right, and paste that into your site.

Explanation for techies

The WordPress 4.2.3 upgrade fixed a cross-site scripting (XSS) vulnerability, which was allowing non-admins, such as site commenters, to post content including JavaScript files, which is a common hacker method. Good to know this is prevented.

The FixturesLive embedding code was created in 2007, and has been added to thousands of sites without problems until now. As you can see from the image above, we had wrapped 2 variables inside HTML comments, inside a JavaScript tag. WordPress no longer handles this syntax and, in the upgrade, added its own code to comment out our variables.

The 4.2.3 upgrade was unannounced, which is understandable but has caused problems on many sites.
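
For sites with many pages, the check described above can be scripted. The following is an added example, not FixturesLive or WordPress code: it scans page content (as seen in the Text view) for script blocks that still use HTML comment wrapping, and for the "[CDATA" marker. The sample pages and the variable names inside them are constructed for illustration and are not the real embed code.

```python
import re

# Matches each <script ...>...</script> block, case-insensitively, across lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def scan_pages(pages):
    """pages: dict of page title -> raw page content (Text view).
    Returns {title: [findings]} for pages that need a manual edit."""
    report = {}
    for title, content in pages.items():
        found = set()
        # The marker is checked over the whole page, in case the added
        # code has left the script tags themselves malformed.
        if "[CDATA" in content:
            found.add("cdata-marker")
        # HTML comments are normal in page markup; only flag them
        # when they appear inside a script block.
        for match in SCRIPT_RE.finditer(content):
            if "<!--" in match.group(1):
                found.add("html-comment-in-script")
        if found:
            report[title] = sorted(found)
    return report

# Constructed sample content (hypothetical variable names).
SAMPLE_PAGES = {
    "Fixtures": """<p>Fixtures</p>
<script type="text/javascript">
<!--
var exampleWidth = 600;
var exampleId = 123;
//-->
</script>""",
    "Results": """<script type="text/javascript">
// <![CDATA[
var exampleWidth = 600;
// ]]>
</script>""",
    "About us": "<!-- layout note --><p>Club history</p>",
}

if __name__ == "__main__":
    for title, findings in scan_pages(SAMPLE_PAGES).items():
        print(f"{title}: {', '.join(findings)}")
```

Pages reported here still need to be edited by an Administrator as described in the steps above; the script only locates them.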
Created 29 July 2015. Last updated 29 July 2015.